About S.Cantwell

@brucegarlock    I have been running 9.x.x since the initial release.  It has great features. What concerns do you have, that we, in the community, can address or talk about, to ease your fears.   I am already at 9.1.0, with no issues (yet.  :P).     ... View more

Hello   You can use/program access routes to push down the public IPs.     What I don't understand (maybe I do not need to know), but it seems weird to need to hit a public IP via GP vs using NAT to transit traffic through the FW (so that is appears that it came from inside your network, but actually came from your GP clients), to hit the public IPs.   Would be glad to have you provide more details as needed, but I did answer your query.  😛     ... View more

While the community responds back, can you confirm you saw my comment about looking at the authd.log file to determine why AD is having an issue?   I am not quick to say it is because of GP, because the auth failure is coming from AD.  Can you try to make a test local account and confirm that local auth is working fine?  If you can do this, and then it fails when you try to use AD auth, then it goes to make sense, that something is not correct.  Maybe in 5.1 the incorrect username is being passed to the AD server for auth.   Please advise.  ... View more

There is better chip sets in the newer hardware, so I am not immediately aware of where the issue could be at.         ... View more

Ok, so then... install the trusted root CA (which should be a public certificate, and should be able to get it....)  As a matter of fact, if it IS a public CA, then your TCA store (for windows) should be able confirm if the required TCA is there.  If not, then add it.   Seems more like PANW is making their software more secure by checking for TCAs.   Or you can downgrade if you want.    What response are you looking for, from the community members? ... View more

How about setting up a filter in the Packet Filter portion of the FW (not referring to the capture stages.... to be clear).   then you can do something like   expedition@PA-220> show counter global filter packet-filter yes + aspect Counter aspect + category Counter category + delta Difference from last read + severity Counter severity + value value | Pipe through a command And you can see whatever granular info you would like, because your filter is for the IP of the device in question... you can get cps then, (or similar)    ... View more

Keep in mind that the FW does local auth (local accounts), but other 3rd party auth (LDAP/Radius), the FW will be passing back the auth success/fail messages to you.   I would check the authd.log on the firewall.   less mp-log authd.log   This will show you the authd.log entries   You can issue a "/" command to search for a user /steve   2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:348): "steve" user doesn't have a password 2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:359): "steve" user entry missing password profile 2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:370): "steve" user entry missing authentication profile   you could search on /failed  to help you find challenges.   Hope this helps you.   ... View more

ECMP  = Equal Cost... with Dual ISP.   By your design, you are agreeing/wanting for the FW to load-share between Eth1 and Eth2. If you do not want this, then turn on the ECMP function, and only let the traffic go out via eth1. If the VPN fails, then there should be a Monitor Profile, that the VPN can use, to initiate a backup tunnel on eth2.   ... View more

Graceful restart allows a routing device undergoing a restart to inform its adjacent neighbors and peers of its condition. During a graceful restart, the restarting device and its neighbors continue forwarding packets without disrupting network performance. Because neighboring devices assist in the restart (these neighbors are called helper routers), the restarting device can quickly resume full operation without recalculating algorithms.   When a device enabled for OSPF graceful restart restarts, it retains routes learned before the restart in its forwarding table. The device does not allow new OSPF link-state advertisements (LSAs) to update the routing table. This device continues to forward traffic to other OSPF neighbors (or helper routers), and sends only a limited number of LSAs during the restart period. To reestablish OSPF adjacencies with neighbors, the restarting device must send a grace LSA to all neighbors. In response, the helper routers enter helper mode (the ability to assist a neighboring device attempting a graceful restart) and send an acknowledgment back to the restarting device. If there are no topology changes, the helper routers continue to advertise LSAs as if the restarting device had remained in continuous OSPF operation. ... View more

Hello!   I thought that you could only do HIP checks (like looking at the SN, wherever it is found) AFTER the license was purchased. Is there something that has changed?   So I am not sure how you can test this adequately, because HIP is how it should be done with GP.   Let's keep working together towards a resolution.     ... View more

Feel free to share out a few screen captures.   For us that volunteer our time, as customers of PANW, I am not sure we can provide a proper response. I did my best effort, based on my FW sessions, but future experiences may be different.  😛 ... View more